Setting Up a Firewall Under OpenBSD

07/05/2000

A lot of hype today surrounds the word "firewall"; some of this is
corporate-fabricated and some of it relates to the actual functionality of a
firewall. The commonly purveyed misconception is that a firewall is some sort of magical network security device that will put an end to every admin's security concerns. This couldn't be further from the truth; a firewall is designed to provide advanced IP services such as packet filtering, port forwarding, and network address translation. This said, a correctly configured firewall should be a part of every secure network. It's just not the be-all and end-all of network security.

One of the most common firewall implementations (and a good one for educational purposes) is an NAT (Network Address Translation) machine that acts as an internet access gateway for a small network. This is similar in functionality to Linux's IPMASQ features, yet quite different in terms of configuration and implementation. Assuming simple network configuration and services have been dealt with (as discussed in the previous articles of this series), we can proceed to configure the system:

This enables IP filtering and IP network address translation on the system. These two systems, known as IPF and IPNAT, are the two OpenBSD firewall tools. IPF is used for things like packet filtering and ICMP control, while IPNAT handles functions like network address translation and port forwarding.

2. Edit the /etc/ipnat.rules file:

map ep0 192.168.0.0/24 -> ep0/32 portmap tcp/udp 10000:20000

This line does basic NAT to provide internet access to the subnet.
To provide a breadown of the syntax:

map ep0 192.168.0.0/24 -> ep0/32

This tells IPNAT to map traffic from the internal address range

192.168.0.x

The live interface ep0.

portmap tcp/udp 10000:20000

This tells IPNAT to map all tcp/udp traffic to ports in the range
of 10000:20000.

3. Edit /etc/sysctl.conf to allow IP forwarding:

net.inet.ip.forwarding=1
# 1=Permit forwarding (routing) of packets

This enables IP forwarding, which is a pre-requisite of IPNAT.

After a reboot, the system should now operate as a gateway for client machines within the 192.168.0.x range. To expand upon this example, let's now apply some simple firewall rules to the system. To do this, we'll need to edit the /etc/ipf.rules file, which dictates IPF configuration. I've taken a few examples here from OpenBSD's /usr/share/ipf/ documentation:

1. By default, pass all packets through the firewall:

pass out from any to any
pass in from any to any

2. Block and log malformed and dangerous packets, namely ICMP redirect packets and extremely short fragmented packets, where ep0 is our live interface:

block in log quick on ep0 proto icmp from any to any icmp-type redir
block in log quick on ep0 proto tcp/udp all with short

3. Block all UDP traffic except for DNS:

block in on ep0 proto udp from any to any
pass in on ep0 proto udp from any to any port = domain

4. Block and log any spoofed packets (any packets from "internal" IPs that are actually coming through an external interface):

block in log quick on ep0 from 192.168.0.0/24 to any
block in log quick on ep0 from localhost to any
block in log quick on ep0 from 0.0.0.0/32 to any
block in log quick on ep0 from 255.255.255.255/32 to any

The final component of this firewall is a "bastion firewall". The concept of a bastion firewall is a relatively simple one, and you'll find it in most texts on firewalls: One firewall machine has a live IP address and uses port forwarding to machines on a private subnet to distribute service provision and load. In this case, we'll discuss configuring the firewall so that httpd services are provided by 192.168.0.10, a server on the internal network, through the firewall with a
live IP of 210.8.218.252. The reasoning for this can vary. For example, with a Windows NT server running a highly insecure SQL Server yet a relatively secure IIS
Server (httpd), the firewall both protects the NT server and conserves live IP space by keeping it on the internal range. Assuming the firewall is otherwise already configured, adding the port forwarding to facilitate this is a simple change:

1. Edit /etc/ipnat.rules:

rdr ep0 210.8.218.252/32 port 80 -> 192.168.0.10 port 80

This line configures IPNAT such that any request to 210.8.218.252:80 is forwarded to 192.168.0.10:80, and 192.168.0.10's response to the request is forwarded back out.

2. Restart ipnat to reflect this configuration change:

ipnat -CF /etc/ipnat.rules

As this article has demonstrated, the key functionality of a firewall lies in the configuration process and how well an individual firewall is set up for its conditions, not the particular firewall package used. The IPF/NAT system used by OpenBSD is extremely robust and is capable of anything that commercial competitors such as Checkpoint are. When implementing a firewall, remember -- it is a COMPONENT of network security, nothing more.

David Jorm
has been involved with open source and security projects for several years, originally with OpenBSD and Debian GNU/Linux, now with the development team at wiretapped.net.